Mac Backdoor Linked to Lazarus Targets Korean Users


Mac Backdoor Linked to Lazarus Targets Korean Users (Nov 20, 2019)

A new backdoor has been detected by Trend Micro researchers, found targeting Mac operating systems and linked to North Korean “Lazarus” group. The researchers first analysed a malicious Macro-embedded Excel document posted on Twitter by user “cyberwar_15”. They found that the macro in the sample runs a PowerShell script that connects to three command-and-control (C&C) servers. An in-the-wild app suspected to be from the same campaign, was discovered by the researchers as it connects to the same C&C servers. This App contains two Flash Player files, one of which is malicious in a hidden Mach-O file. The infected FlashPlayer file runs a decoy video with the legitimate instance, whilst it creates a hidden file at ~/.FlashUpdateCheck. This hidden file is the backdoor and connects to the C&C servers.

Recommendation: Users should make sure to only download applications and files from legitimate and trusted sources. Defense-in-depth is the best way to ensure safety from APTs. Defense-in-Depth involves the layering of defence mechanisms. This can include network and end-point security, social engineering training (such as training exercises to help detect phishing emails) for staff and robust threat intelligence capabilities.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.